CentOS 5.1 Miscellaneous Configuration Items
A cheatsheet to myself for basic things I configure in my server
Robin Whittle rw@firstpr.com.au 2008-04-27 (Minor update 2008-10-24. Important update for the nameserver config, 2009-05-14)
Preliminaries

Before detailing how I installed and configured the email software, I did some other things to bring the fresh install up to speed in my system. This page is my cheatsheet for the next time I do this stuff.

I did all this work while the new machine was nair.firstpr.com.au on 10.0.0.2, while the currently operating server gair.firstpr.com.au is on 10.0.0.0 and, with a public IP address via its ADSL link, is operating with the old RH 7.2 system.

Also, here are some notes which might be useful for newbies.

The machine boots into X Windows and I log in as "robin". I can run a terminal from there and log in as root via "su -". From there I can run Midnight Commander (mc) or anything else.

I can also switch back to a text-mode (curses) plain VGA console, not using X Windows. (How to set these up for more lines and characters than 24 x 80? To-do: follow this up via http://lists.debian.org/debian-user/2006/09/msg00484.html )

From X, Ctrl-Alt-F1 to Ctrl-Alt-F6 brings up one of the plain text consoles. From those, the same combinations switch to the others, and Ctrl-Alt-F7 switches back to X.
Updating the system: installing security updates etc.

The update process is remarkably easy:

yum update
NFS links to other machines

Before setting up NFS, add lines to /etc/hosts so this machine knows the addresses of others on the LAN, such as:

10.0.0.1 gair.firstpr.com.au gair
10.0.0.4 egan.firstpr.com.au egan

I want this machine (now nair but later gair) to be able to read the two NFS exports from my other Linux machine egan. egan has two NFS exports: / and /audio. /audio is a separate partition, so it needs a separate export. (I don't attempt to export egan's /var/log, which is a separate partition too.)

I add a /nfs directory where I will add further directories for mounting these two exports from egan:

/nfs/egan
/nfs/egan-audio

When this is working, the directory /nfs/egan has a directory /nfs/egan/audio but it is empty. /nfs/egan-audio is the directory for accessing egan's /audio directory.

Then I add these lines to /etc/fstab:

egan.firstpr.com.au:/        /nfs/egan        nfs exec,dev,suid,rw 0 0
egan.firstpr.com.au:/audio/  /nfs/egan-audio  nfs exec,dev,suid,rw 0 0

and give the commands:

mount /nfs/egan
mount /nfs/egan-audio

Now I export this machine's / and /audio directories similarly, by adding these lines to /etc/exports (which is initially empty):

/       10.0.0.0/255.255.255.0(rw,no_root_squash)
/audio  10.0.0.0/255.255.255.0(rw,no_root_squash)

There's no doubt a way of exporting them immediately, but this will take effect on the next boot.

I will copy stuff (mailboxes, large quantities of other data etc.) from the current gair to this machine nair, so I do the above for gair as well.
SAMBA

I want my local Windows machines to be able to look into, read and write some parts of this machine's file system once it becomes gair. When it becomes gair, I will configure /etc/samba/smb.conf .
Configuring Midnight Commander

Options > Configuration > Turn on: show backup files and hidden files. Pause after run: Always. Maybe turn on "safe delete".

Midnight Commander's line-drawing characters look bad with PuTTY's default settings. (PuTTY is a nice Windows program for SSH, telnet etc.: http://www.chiark.greenend.org.uk/~sgtatham/putty/ - with a Unix version available as source code ...). The solution is to change PuTTY's configuration: Window > Translation > Received data assumed to be in which character set: from "ISO-8859-1:1998 (Latin-1, West Europe)" to "UTF-8". I prefer to use PuTTY from Windows because I like the copy (Shift and drag cursor) and paste (Shift and right click trackball/mouse). Also, the full set of function keys work directly, including F10 for exit, which is typically not the case when running it from an Xterm. F9 pulls down one of mc's menus and then the cursor keys can be used to change the menu or select an item.

I use a different colour scheme (midnight-commander-colors.png) than the usual blue and white. There is a section in "man mc" on this. This can be done with environment variables, but I use a new section in /root/.mc/ini, which needs to be all on one line with no spaces. That text is in midnight-commander-colors.txt . Reformatted into multiple lines, it is:
[Colors]
base_color=normal=white,black:
selected=black,green:
marked=brightyellow,black:
markselect=white,cyan:
editnormal=white,black:
editbold=yellow,black:
menu=black,cyan:
menuhot=red,cyan:
menusel=white,blue:
menuhotsel=white,blue:
dnormal=black,cyan:
dfocus=white,blue:
dhotnormal=red,cyan:
dhotfocus=red,blue:
input=white,black:
reverse=black,cyan:
executable=brightred,black:
directory=brightgreen,black:
link=lightgray,black:
device=brightmagenta,black:
special=blue,black:
core=green,black
I make one of these colours different on every machine - gair, egan and my server in the USA. This gives me a visual cue which machine I am working on when I have multiple PuTTY sessions with these various machines. The one I change is "selected". This form:

selected=black,green:

gives the green background and black text of the top section (Left, File, Command, Options, Right) and the highlight (like a cursor) bar, which in the image is selecting the file 0-ps-listing. I have a different background colour for each machine.

To do this with Midnight Commander's editor, first copy the file midnight-commander-colors.txt to the /root/.mc/ directory. Then use mc to select and edit the ini file. F9 and left arrows brings down the File menu, and from there it is possible to insert a file. F10 enables the resulting file to be saved, but it is better to use File Save As to save it to ini-color. File Insert File and File Copy to File are the closest thing it has to a clipboard between editing different files, since the default filename for both is the same: /root/mc/cedit/cooledit.clip .

"man mc" has all sorts of interesting stuff. I should read it some day. (To-do - how to write the output of man, such as "man mc", to a file? I used to know, at least for info, rather than man.)
Various shell scripts

There are a few shell scripts I keep in /root:

Firstly, two which produce text files with two differing types of output from ps: 0-ps-listing.sh and 1-ps-listing.sh. Each produces two files with their own names, and this enables me to compare one state of affairs with another.

0-ps-listing.sh

#!/bin/bash
ps laxww > 0ps-lax.txt
ps faxww > 0ps-fax.txt

Output files from the freshly installed machine are: 0ps-lax.txt and 0ps-fax.txt .

I have another script to write the output of df to a file where I can view it conveniently. df lists the capacity and usage of the various parts of the file system.
SSH

I change the port on which the SSH daemon accepts incoming sessions. This reduces the number of automated attack attempts that reach it. I change the line in /etc/ssh/sshd_config:

#Port 22

to be something like:

Port 99

but not with 99.
Get rid of vi and install joe

Life is too short for me to memorise how vi works. I am enough of a geek as it is. vi gives no on-screen cues as to what is happening, or how to get out of the thing.

Note to self: to exit from vi, try one of these:

:q! (Enter)
Ctrl-C
: :q! (Enter)

I install the joe package (Joe's Own Editor) with "yum install joe". This gets it from (where?) over the Net and installs it. (I first verified it was available by using "yum list > yum-list.txt", which tells me which packages are installed and which are available.)

Since some programs automatically fire up vi to edit some file and I never want to use vi, I change /bin/vi into a symlink pointing to the joe executable.

Now for the tricky stuff:

Rename /bin/vi to /bin/vi-orig.
Make /bin/vi a symlink to the joe executable /usr/bin/joe .
Then, to keep joe happy when it is called by a file of name "vi", create a symlink called "virc" in /etc/joe (was /usr/lib/joe/ ) and point it to joerc in that directory.

joe used to have on-screen help turned on by default. Now it doesn't, so it is as confusing as vi unless I remember Wordstar's "Control K H"! Fix this by editing /etc/joe/joerc so that there is a line without a space at the start, just: "-help".
Updates, RPMs and yum

I need to read: http://www.centos.org/docs/5/html/yum/

Updates are done automatically at 4AM every day?

To list currently installed and available packages:

yum list > yum-list.txt

To list the location of files in a particular package which is already installed?? (rpm -ql <package> does this; see the rpm -ql rp-pppoe listing further down this page.)

This lists the files within an RPM file:

rpm -q -p <filename> -l
ADSL via PPPoE via eth1

This is what I did to the machine called "nair" which will be the new "gair". While I am getting it ready, another machine is being gair, and is connected to the Net via a single fixed IP address ADSL connection. When I switch nair over to be the new gair, I want to be sure the ADSL link will work. So I need to test it while the machine is still nair, with its 10.0.0.2 address on the LAN, without disturbing gair, which is 10.0.0.1.

The plan is to set up eth0 and PPP networking so it looks like it will work. Then I will turn off Postfix on nair. This is so it doesn't accept any messages while it is connected to the Net. Then I will try plugging the modem into nair and test that it works. Then I will plug the modem back into the old gair, while I do the rest of the work on nair. Finally, I will disconnect the ADSL modem (though turning off Postfix in the old gair would suffice), copy over all the emails to nair (which is the last of the data to be copied), turn off the old gair ("Stop . . . Dave . . . . .") and reconfigure a few things in nair (hostname, LAN IP address) so it is the new gair. Then when I plug the modem into nair, it should be the new gair and emails can come in, be filtered etc. and delivered to local user accounts.
Setting up the modem

I am using an Internode fixed IP address DSL service, via a Telstra DSLAM.

Initially (this was in 2006) I set up the new modem using a Win2k machine. Here are my notes on setting up the D-Link DSL-502T "router" (I call it a modem here, though it is both a modem and a router). This first section was just to test the ADSL service, which I had not used before:

From the Win2k machine I used an Ethernet card (the motherboard's Ethernet card was on the LAN) and a normal cable to the modem. That NIC is set up in Windows to be a DHCP client, to obtain its IP address from a DHCP server in the network it is connected to. I left the LAN cable plugged in, but modified the properties of that connection so that there was no default route to the old gair on the LAN (which was connected to the Net via a 56k modem). This means that when I get this modem going, the Win2K will be able to access the Net via the ADSL service.

The modem has such a DHCP server, at least in its out of the box default configuration. Then I use a web browser to access http://10.1.1.1, where I find some pages on the modem.

This Internode service uses "PPPoE LLC".

In the WAN settings page, I entered these details, by a method described below:

- PPPoE/PPPoA
- User name: xx@internode.on.net
- Password: yyyyyyyy
- Connection type: PPPoE LLC
- MRU: 1492 bytes
- Default Route: Enabled
- ATM VC Setting
- PVC: Pvc0
- VPI: 8
- VCI: 35
- Virtual Circuit: Enabled.

Plug in Ethernet cable and phone line cable. Fire up http://10.1.1.1 with user "admin" and password "admin". In the Home: WAN section, enter the details listed above. Do not use the Connect button. Use the Apply button. Then a page comes up where I Save and Reboot the router. Wait for the browser page to be refreshed. This can take nearly a minute.

Home: WAN. It will not be connected yet, but the details are saved in FLASH. Click the Connect button. Hmmm - it didn't connect, but at least it didn't clobber the details I just put in.

At this point, the Status LED is flashing. The ADSL LED is On (though it may fluctuate) and so is the Ethernet LED.

Reboot the Windows machine and turn the router off and on. Now it simply works. As long as no other network interface has a default route, it seems that the Windows machine uses DHCP to get an IP address, network address, subnet mask, name servers etc. The address the Win2K machine was given was 10.1.1.2.

I can still use the browser to talk to the router: http://10.1.1.1 with user "admin" and password "admin". In the DHCP section, I see 10.1.1.2. There are options there for a "static" DHCP server and for no DHCP server. On the DNS page there are the two name servers of Internode: 192.231.203.132 and 192.231.203.3. So the modem must have got these details via PPP from Internode.

This is the usual approach - having the PPP client in the ADSL modem: http://www.internode.on.net/adsl/faq/using-internode-adsl.htm#faq49 This can support multiple computers by use of an Ethernet switch. Each gets a local, private, IP address via DHCP and accesses the Net via NAT in the ADSL modem.

This is NOT the way I want to run the modem for the Linux machine. The Linux machine needs to be the router, doing NAT etc. for the LAN, and having the single fixed IP address of this ADSL service as its public address.
Now, to configure the modem ready for use with the Linux machine. These notes were written in May 2008 based on my May 2006 initial configuration notes, which were based on some Internode pages which no longer exist in 2008. There is no information on the Internode site for my specific model of modem - DSL-502T. My service is a SOHO-High-Power10.

The general configuration information at Internode states:

ADSL Username: username@internode.on.net
Encapsulation: PPPoA / VC MUX - Standard ADSL; PPPoE / LLC - ADSL2+
Authentication Method: CHAP or PAP
Supported Modulation Types: G.DMT (Standard ADSL), G.DMT.bis (ADSL2), G.DMT.bis+ [plus] (ADSL2+), Annex M (SOHO/Business Plans Only), Multimode (Recommended)
VPI/VCI: 8/35

Although I don't think this service is ADSL2+, PPPoE has always worked.

There is a detailed tutorial on PPP over Ethernet by David F. Skoll at: http://www.roaringpenguin.com/files/pppoe-slides.pdf . The DSL-502T was introduced in early 2005 (I think) - the same time as the DSL-504. Internode has a guide for configuring the DSL-504 here. It uses 192.168.0.1 to access the modem/router, whereas mine uses 10.1.1.1. However this Internode guide is for PPPoA, not PPPoE. For some reason I can't remember, I believe I need PPPoE.

What I finally did was:

At http://10.1.1.1/cgi-bin/webcm (still accessing the modem via the Windows machine) this looks pretty straightforward. Select the WAN button on the left menu and click the radio button for "Bridge Mode". If the page reloads to some Wizard thing, do it again until a page appears with these options:

Connection type:
- 1483 Bridged IP LLC        <<<<<<<< Select this
- 1483 Bridged IP VC-Mux

The LLC accords with the "PPPoE(LLC)" encapsulation, as mentioned in Internode's configuration details and the fact that we are using a PPPoE client in gair. If we were using PPPoA (over ATM) then we would select the other one, because Internode also support (and prefer) "PPPoA (VC)".

ATM VC Setting
PVC: Pvc0                    <<< not one of the others, I guess. (Manual says don't change it.)
VPI: 8                       <<< Default, and as specified by Internode.
VCI: 35                      <<< Default, and as specified by Internode.
Virtual Circuit: Enabled     <<< Default, so why change it?

By using "Apply" I can write this to FLASH, and then it won't do ADSL with the Windows machine. Indeed - but the Windows machine, with its DHCP client, still connects and the web-server in the modem still works.

There is a lot of stuff under Advanced, including "Bridge Filters". The Tools section has a way to load the configuration to a hard drive and restore it. Firmware version V2.00B02.AU .
Configuring PPPoE on Linux

Whirlpool's link farm: http://whirlpool.net.au/faq-ab.cfm#3.4.3 directed me to Rebecca's guide: http://www.becsta.net/adsl.html which in my interpretation boils down to:

Configure the network card - it needs to be "up" with no IP address or anything else. Do not set the interface to "dhcp", or use pump or dhcpcd or anything like that on the interface. A simple "ifconfig eth1 up" should suffice.
Install rp-pppoe. (rp means Roaring Penguin.)
Run adsl-setup.
Run adsl-start.

"As for routing, let the PPP daemon work it all out. When the PPP daemon has negotiated a PPP session, it should set the default route to be the other end of the ADSL connection."

With Red Hat 7.2 in 2006 I had to install the rp-pppoe RPM. However, I find from "yum list" that rp-pppoe.i386 3.5-32.1 is already installed.

This motherboard has two PCI 100Mbps Ethernet cards, both old but good Intel NICs. They are discovered and assigned numbers eth0, eth1 etc. in order of the PCI socket they are in, and for this motherboard, eth0 is nearest the keyboard connector.

eth1 was not configured when I installed CentOS 5.1, and all there is in terms of configuration at present is the file /etc/sysconfig/network-scripts/ifcfg-eth1: (See below for ifcfg-eth0.)

# Intel Corporation 82557/8/9 Ethernet Pro 100
DEVICE=eth1
BOOTPROTO=dhcp
HWADDR=00:20:35:E7:27:B2
ONBOOT=no
DHCP_HOSTNAME=nair.firstpr.com.au

With RH7.2, I started with something much more minimal, so I edited this file to be like the following.

# Intel Corporation 82557/8/9 Ethernet Pro 100
DEVICE=eth1
HWADDR=00:20:35:E7:27:B2
ONBOOT=yes

In my setup it was essential to get rid of the BOOTPROTO line. (Maybe "BOOTPROTO=none" would be fine too.) With it set to "dhcp", the machine would successfully use dhcp to get an address from the ADSL modem's dhcp server, which also caused it to get a nameserver address - an address such as 10.1.1.1, which is the ADSL modem - and write this to /etc/resolv.conf.

(Saving this from Midnight Commander's editor led to a message about hard links - I did not detach them. I later noticed that these two files ifcfg-eth0 and ifcfg-eth1 also appear at /etc/sysconfig/networking/devices/ and /etc/sysconfig/networking/profiles/default/ .)

Now I run adsl-setup, with the following highlights:

login name: my Internode account name, which looks like an email address: xxx@internode.on.net
interface: eth1
I want this link to stay up permanently, so I enter "no".
Address of ISP's DNS servers: 192.231.203.3 and 192.231.203.132.
I enter my password - this is the CHAP password Internode gave me.
User control: no.
I choose '2' for the Masquerade type of firewall: NAT, so local LAN machines can access the Net via NAT translation in this gateway machine, which will have as its IP address on the LAN: 10.0.0.1. Other machines on the LAN will have this address as their Default Gateway.
Start the connection at boot time? yes.

This creates a file: /etc/sysconfig/network-scripts/ifcfg-ppp0 and a new directory /etc/ppp, containing a bunch of stuff, including /etc/ppp/chap-secrets. More on these new files in a moment. The program also instructed me:

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0' to bring it down.

Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0' to see the link status.
The files in /etc/ppp/ are (* means executable in Midnight Commander's display):

/peers                   (empty)
chap-secrets             119   May  5 15:09
chap-secrets.bak          78   May  5 15:09
firewall-masq           1042   Jan  7  2007
firewall-standalone      913   Jan  7  2007
*ip-down                 386   Jul 11  2006
*ip-down.ipv6to4        3485   Sep 12  2006
*ip-up                   430   Mar 20  2006
*ip-up.ipv6to4          6687   Sep 12  2006
*ipv6-down              1916   Sep 12  2006
*ipv6-up                3369   Sep 12  2006
options                    5   Mar 15  2007
pap-secrets              118   May  5 15:09
pap-secrets.bak           77   May  5 15:09
pppoe-server-options     104   Jan  7  2007
Those of interest are:

/etc/sysconfig/network-scripts/ifcfg-ppp0

USERCTL=no
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=MASQUERADE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes
SYNCHRONOUS=no
ETH=eth1
PROVIDER=DSLppp0
USER=firstpr@internode.on.net
PEERDNS=no
DEMAND=no

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client                   server  secret         IP addresses
"xxx@internode.on.net"     *       "yyyyyyyyy"

/etc/ppp/firewall-masq

#!/bin/sh
#
# firewall-masq   This script sets up firewall rules for a machine
#                 acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL

# Interface to Internet
EXTIF=ppp+
ANY=0.0.0.0/0

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F -t nat

# Deny TCP and UDP packets to privileged ports
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP

# Deny TCP connection attempts
iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

/etc/ppp/options

lock

There is also /etc/resolv.conf:

# MADE-BY-RP-PPPOE
nameserver 192.231.203.3
nameserver 192.231.203.132
To test it, I disable Postfix ("postfix stop") and turn off the default gateway setting which currently points to 10.0.0.1 (the old gair, which right now has the modem). In /etc/sysconfig/network I remove the last line:

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=nair.firstpr.com.au
GATEWAY=10.0.0.1

and restart networking:

/etc/rc.d/init.d/network restart

but before I do that, I connect eth1 to the modem. I was surprised to see this didn't upset the SSH session with PuTTY on the Windows machine, via which I gave this command. The output was:

Shutting down interface eth0:                       [  OK  ]
Shutting down loopback interface:                   [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
                                                    [  OK  ]
Bringing up loopback interface:                     [  OK  ]
Bringing up interface eth0:                         [  OK  ]
Bringing up interface eth1:                         [  OK  ]
Bringing up interface ppp0:                         [  OK  ]

Looking in /var/log/messages I was encouraged by a bunch of stuff, ending with:

May  5 15:38:03 nair pppoe[1079]: PPP session is 7394
May  5 15:38:04 nair pppd[1078]: CHAP authentication succeeded
May  5 15:38:04 nair pppd[1078]: CHAP authentication succeeded
May  5 15:38:05 nair pppd[1078]: local IP address 150.101.162.123
May  5 15:38:05 nair pppd[1078]: remote IP address 150.101.212.16

I was able to ping my server in the USA by its IP address - but not by referring to it as ww.firstpr.com.au. There must be some nameserver trouble, but at least I am on the Net with this connection.
Final transfer of data . . .

Now that nair (the machine which is about to be gair) is on the Net, but still has 10.0.0.2 on the LAN (with the old gair on 10.0.0.1, and no ADSL modem connection to the Net), I decide to transfer all emails from the home accounts in the old gair to the new machine, and to transfer the mail filtering commands in each user's .mailfilter file. This means some editing, since the exact way I call SpamAssassin and do the filtering of spam etc. has changed a little. However, most of the filtering is to do with mailing lists, and since the new machine has identical mailboxes to the old, all those filtering commands are copied directly into the new .mailfilter file. While this is happening, Postfix is disabled, so incoming messages are either being held at the sending MTA or being sent to the backup server for this domain, at my USA-based server.

When I turn this machine into the new gair (changing its hostname and IP address) and when I get its nameserver configured correctly, and turn on Postfix, then the messages will come in to the new machine. The old one will be off the LAN by then, because the new machine will have 10.0.0.1 and so be the default gateway for other machines on the LAN.

The emails I transferred en masse with a copy of the Maildir directory with Midnight Commander, using the link to the old gair via /nfs/gair. (Tar-gzipping them would have been another option - and then transferring the single file.) To do this, I needed to add an export of the /home directory to the old gair, since it was a different partition. This involved a new line in gair's /etc/exports:

/home  10.0.0.0/255.0.0.0(rw,no_root_squash)

Then in gair:

/etc/rc.d/init.d/nfs restart

Then I needed to add a directory in nair: /nfs/gair-home and give it an entry in nair's fstab:

gair.firstpr.com.au:/home/  /nfs/gair-home  nfs exec,dev,suid,rw 0 0

Then I mounted it in nair's filing system:

mount /nfs/gair-home

Then I ran a command in the home directory of each user to recursively change the user and group of all the files and sub-directories in Maildir.

chown -R xxx:xxx Maildir

Then I fixed up the .mailfilter files, as noted above. I already know the IMAP server works, so I need to configure Postfix to perform its role in gair.
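Both /etc/exports fragments on this page (the / and /audio exports in the NFS section, and the /home export just above) combine rw with no_root_squash, and the /home line uses a 255.0.0.0 mask that covers far more than the 10.0.0.0/24 LAN. As an added example, not code from this page, here is a small Python audit of an exports file that flags exactly those settings; the sample exports text is constructed for the example and LAN is assumed to be 10.0.0.0/24 as described on this page.

```python
"""Audit /etc/exports for settings that widen who gets root-equivalent access."""
import ipaddress
import re

# Constructed sample in the same layout as the /etc/exports lines on this
# page: the / and /audio exports with a /24 mask, the later /home export
# with a /8 mask, plus one wildcard export to show that case.
SAMPLE_EXPORTS = """\
# LAN exports
/       10.0.0.0/255.255.255.0(rw,no_root_squash)
/audio  10.0.0.0/255.255.255.0(rw,no_root_squash)
/home   10.0.0.0/255.0.0.0(rw,no_root_squash)
/pub    *(ro)
"""

LAN = ipaddress.ip_network("10.0.0.0/24")   # the LAN described on this page


def parse_exports(text):
    """Yield (path, client, [options]) for each client of each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            if m is None:                     # unbalanced parenthesis; skip
                continue
            host = m.group(1) or "*"          # a bare "(ro)" means every host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, host, opts


def client_network(host):
    """Return an ip_network for IP/CIDR or IP/netmask clients, else None."""
    try:
        return ipaddress.ip_network(host, strict=False)
    except ValueError:                        # a hostname or wildcard pattern
        return None


def findings(text, lan=LAN):
    """Return (path, client, message) tuples worth a second look."""
    out = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            out.append((path, host, "no_root_squash: remote root is root on these files"))
        if "rw" in opts and path == "/":
            out.append((path, host, "root filesystem exported read-write"))
        if host == "*":
            out.append((path, host, "exported to every host"))
            continue
        net = client_network(host)
        # Flag any client range that is not wholly inside the LAN.
        if net is not None and not (net.network_address in lan
                                    and net.broadcast_address in lan):
            out.append((path, host, "client range %s is wider than the LAN %s" % (net, lan)))
    return out


if __name__ == "__main__":
    for path, host, msg in findings(SAMPLE_EXPORTS):
        print("%-8s %-26s %s" % (path, host, msg))
```

After editing /etc/exports on a running system, exportfs -ra re-reads the file without a reboot and exportfs -v shows what is actually being exported.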
Changing the machine over to be the real server

I made the old gair (10.0.0.1) appear on the network at another address, 10.0.0.3, with another name - oldgair. To give it its new name and make it use 10.0.0.1 as its default gateway, I changed its file /etc/sysconfig/network from:

NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=gair
GATEWAY=
GATEWAYDEV=ppp0

to:

NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=oldgair
GATEWAY=10.0.0.1
GATEWAYDEV=

I also edited the IP address line in /etc/sysconfig/network-scripts/ifcfg-eth0 and then gave the command /etc/rc.d/init.d/network restart . This did not change this machine's idea of itself as "gair", so I rebooted it. Then it knew its new name. (Along with loading a new kernel, it seems that changing the hostname is something which really does require a reboot in Linux. Everything else can be done without a reboot.)

(I probably need to change the hostname specified for localhost in /etc/hosts too.)

To change the nair machine (10.0.0.2) to its new role as gair (10.0.0.1) I did this:

Changed the host name nair to gair in /etc/sysconfig/network :

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=nair.firstpr.com.au

(Where was it configured to use 10.0.0.1 as its gateway - to send packets to when they are not addressed to any machine on the LAN??)

Then I changed its IP address in /etc/sysconfig/network-scripts/ifcfg-eth0 from 10.0.0.2 to 10.0.0.1:

# Intel Corporation 82557/8/9 Ethernet Pro 100
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:A0:C9:B2:18:4A
IPADDR=10.0.0.1
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

I did not detach hardlinks before saving. (See below where I change /etc/hosts - I should have done this now.)

Then I rebooted this machine, and it came to life as gair on 10.0.0.1. (This is without the ADSL modem being plugged in.) Without the Ethernet cable going to the modem, the "Bringing up interface ppp0" takes a minute or so before it fails and the boot procedure continues.
I changed a few things so it could do nfs to the other Linux machine, and the oldgair machine.

Then I turned off Postfix ("postfix stop") and plugged in the ADSL modem.

The PPP process doesn't necessarily retry immediately, I think. I couldn't ping a server outside. So I tried /etc/rc.d/init.d/network restart . This went well, and I could ping outside servers.

The web browser on gair could access outside servers, such as mine in the USA, by IP address - but not by hostname. Clearly there is something wrong with gair's nameserver configuration.

Also, the NAT system was not working - other machines on the LAN which use 10.0.0.1 as their default gateway could not access the net.

Pinging localhost revealed that while this machine's logon name (in my root shell) was gair, when it pinged itself, it reported this as "nair.firstpr.com.au". This turned out to be due to mentioning "nair" in /etc/hosts. Here is the new version of that file, with some other machines from the LAN listed as well.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   gair.firstpr.com.au gair localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.0.1    gair.firstpr.com.au gair
10.0.0.2    nair.firstpr.com.au nair
10.0.0.4    egan.firstpr.com.au egan

I rebooted the machine. ping localhost worked fine. It could ping itself, another machine on the LAN and machines outside, by IP address. Other machines can ping this one, but none of them can use DNS and none can ping through this machine to the outside world. So the NAT system and the nameserver need fixing.

I see which services should be running with chkconfig --list . Here are a few interesting items:

dnsmasq      0:off  1:off  2:off  3:off  4:off  5:off  6:off
httpd        0:off  1:off  2:off  3:off  4:off  5:off  6:off
iptables     0:off  1:off  2:on   3:on   4:on   5:on   6:off
named        0:off  1:off  2:off  3:off  4:off  5:off  6:off
nfs          0:off  1:off  2:off  3:off  4:off  5:off  6:off
postgresql   0:off  1:off  2:off  3:off  4:off  5:off  6:off
smb          0:off  1:off  2:off  3:off  4:off  5:off  6:off

I have not used dnsmasq before, and I have not yet configured named. I will configure /etc/exports and turn on nfs. Likewise, I will later configure Samba and turn on smb. iptables is supposedly running, and somehow the PPP process was supposed to load rules into it to make it do NAT (IP masquerading). I want to turn on Apache too. So I turn on various things with chkconfig xxx on and then by manually starting them with /etc/rc.d/init.d/xxx start.

First httpd. Apache works fine for machines on the LAN with http://10.0.0.1.

I turn on dnsmasq the same way, but it won't start (failed to create listening socket: Address already in use). Restart failed when stopping, but then was OK for starting. However, I was only trying to look up hostnames in my own domain. Now, nslookup www.ibm.com works fine. This machine's web browser is fine accessing www.ibm.com. The reason it won't work for my own machines is that gair is an authoritative nameserver for them, and I haven't yet set up or even started named!

dnsmasq is not really what I want (I later turned it off), so I need to set up named . . . but why isn't NAT working?

I also changed the Courier IMAPD configuration so it would respond to IMAP requests from the LAN and from localhost. I decided not to allow IMAP from the outside world. In /usr/lib/courier-imap/etc/imapd:

ADDRESS=10.0.0.1, 127.0.0.1

then /etc/rc.d/init.d/courier-imap restart.
NAT (IP Masquerading Firewall)

To find out what is going on, I list the rules iptables is using:

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
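Two things this listing cannot show are the likely reasons the NAT looks absent: iptables -L without -v hides the in/out interface columns (the rules naming 192.168.122.0/24 are the ones libvirt installs for its default virtual network, and the catch-all ACCEPT after them is bound to the virbr0 interface in libvirt's rule set), and the MASQUERADE rule lives in the nat table, which only iptables -t nat -L displays. As an added example, not code from this page, here is a Python parser for this listing format plus an evaluator that walks a chain for a described packet and reports which visible rule, or the chain policy, decides it; the listing text and the packets are constructed for the example, with TEST-NET addresses standing in for real external hosts.

```python
"""Evaluate packets against a saved `iptables -L` listing (filter table only)."""
import ipaddress
import re

# Constructed sample in the same shape as the listing on this page:
# `iptables -L` with no -v and no -n, so interface matches are absent and
# service names appear instead of port numbers.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Service names that `iptables -L` prints instead of port numbers.
SERVICES = {"domain": 53, "bootps": 67, "ssh": 22, "http": 80}


def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [rule dicts in order]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)        # target prot opt source destination [extra]
        chains[current]["rules"].append({
            "target": parts[0], "prot": parts[1], "src": parts[3], "dst": parts[4],
            "extra": parts[5] if len(parts) > 5 else "",
        })
    return chains


def _port(name):
    return SERVICES[name] if name in SERVICES else int(name)


def _addr_in(spec, addr):
    if spec == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Match on what the listing shows: proto, addresses and the extra column."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if not (_addr_in(rule["src"], pkt["src"]) and _addr_in(rule["dst"], pkt["dst"])):
        return False
    extra = rule["extra"]
    m = re.search(r"dpts?:(\S+)", extra)           # dpt:domain or dpts:0:1023
    if m:
        lo, _, hi = m.group(1).partition(":")
        if not _port(lo) <= pkt.get("dport", -1) <= _port(hi or lo):
            return False
    m = re.search(r"flags:(\S+)/(\S+)", extra)     # FIN,SYN,RST,ACK/SYN == new SYN
    if m:
        mask, want = set(m.group(1).split(",")), set(m.group(2).split(","))
        if set(pkt.get("flags", ())) & mask != want:
            return False
    m = re.search(r"state (\S+)", extra)
    if m and pkt.get("state") not in m.group(1).split(","):
        return False
    if "echo-request" in extra and pkt.get("icmp_type") != "echo-request":
        return False
    return True


def evaluate(chains, chain_name, pkt):
    """Return (verdict, 1-based index of the deciding rule, or None for the policy)."""
    chain = chains[chain_name]
    for i, rule in enumerate(chain["rules"], 1):
        if rule_matches(rule, pkt):
            return rule["target"], i
    return chain["policy"], None


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    # LAN host going out to the Net: the visible rules say ACCEPT via the
    # catch-all, which is exactly what the hidden interface match would deny.
    lan = {"proto": "tcp", "src": "10.0.0.4", "dst": "198.51.100.7", "dport": 80, "flags": ["SYN"]}
    print("FORWARD", evaluate(chains, "FORWARD", lan))
```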
In my previous installation (RH7.2) I used my own ipchains NAT script, which I ran as part of the boot up sequence. Below is how I adapted that to iptables and used it on this CentOS 5.1 system.

First, how would the rp-pppoe system run the firewall script it placed in /etc/ppp/firewall-masq? I began by listing the contents of the rp-pppoe RPM:
rpm -ql rp-pppoe
/etc/ppp/firewall-masq
/etc/ppp/firewall-standalone
/etc/ppp/pppoe-server-options
/sbin/adsl-connect
/sbin/adsl-setup
/sbin/adsl-start
/sbin/adsl-status
/sbin/adsl-stop
/sbin/pppoe
/sbin/pppoe-relay
/sbin/pppoe-server
/sbin/pppoe-sniff
/usr/sbin/adsl-connect
/usr/sbin/adsl-setup
/usr/sbin/adsl-start
/usr/sbin/adsl-status
/usr/sbin/adsl-stop
/usr/sbin/pppoe
/usr/sbin/pppoe-relay
/usr/sbin/pppoe-server
/usr/sbin/pppoe-sniff
/usr/share/doc/rp-pppoe-3.5
/usr/share/doc/rp-pppoe-3.5/LICENSE
/usr/share/doc/rp-pppoe-3.5/adsl-connect
/usr/share/doc/rp-pppoe-3.5/adsl-init
/usr/share/doc/rp-pppoe-3.5/adsl-setup
/usr/share/doc/rp-pppoe-3.5/adsl-start
/usr/share/doc/rp-pppoe-3.5/adsl-status
/usr/share/doc/rp-pppoe-3.5/adsl-stop
/usr/share/doc/rp-pppoe-3.5/configs
/usr/share/doc/rp-pppoe-3.5/configs/firewall-masq
/usr/share/doc/rp-pppoe-3.5/configs/firewall-masq.ipchains
/usr/share/doc/rp-pppoe-3.5/configs/firewall-standalone
/usr/share/doc/rp-pppoe-3.5/configs/firewall-standalone.ipchains
/usr/share/doc/rp-pppoe-3.5/configs/pap-secrets
/usr/share/doc/rp-pppoe-3.5/configs/pppoe-server-options
/usr/share/doc/rp-pppoe-3.5/configs/pppoe.conf
/usr/share/man/man5/pppoe.conf.5.gz
/usr/share/man/man8/adsl-connect.8.gz
/usr/share/man/man8/adsl-setup.8.gz
/usr/share/man/man8/adsl-start.8.gz
/usr/share/man/man8/adsl-status.8.gz
/usr/share/man/man8/adsl-stop.8.gz
/usr/share/man/man8/pppoe-relay.8.gz
/usr/share/man/man8/pppoe-server.8.gz
/usr/share/man/man8/pppoe-sniff.8.gz
/usr/share/man/man8/pppoe.8.gz
The script which looks for "FIREWALL" is /sbin/adsl-connect:
case "$FIREWALL" in
    STANDALONE)
        . /etc/ppp/firewall-standalone
        ;;
    MASQUERADE)
        . /etc/ppp/firewall-masq
        ;;
esac
but neither of these scripts is executable at present. Do they need to be? I will replace /etc/ppp/firewall-masq with my own modified version and see if it works.
A new version of /etc/ppp/firewall-masq: I made it owner root, group root, 755, but probably something more restrictive would be better.
#!/bin/sh
#
# firewall-masq   This script sets up firewall rules for a machine
#                 acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL
#
# RW -------------
#
# Modifications by Robin Whittle to make it specific to ppp0 and to
# allow connections from the outside world, except for particular ports,
# whereas the original version blocked all incoming packets for UDP and
# TCP ports 0 to 1023.

# Interface to Internet
# RW EXTIF=ppp+
EXTIF=ppp0
ANY=0.0.0.0/0

# RW Set the policies for the three chains.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# RW Flush existing rules.
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F -t nat

# RW We don't do this:
## Deny TCP and UDP packets to privileged ports
#iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
#iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP

# RW Instead, we allow packets arriving from the external interface on
# all TCP and UDP ports apart from those we specify below.
#
# See man iptables:
#
#   -A xxx   Add rule for chain xxx.
#
#   -i       Interface.
#
#   -d       Destination IP address or range, eg -d 0.0.0.0/0.
#            (Unlike ipchains, iptables takes the port or port range as
#            a separate option, eg -p tcp --dport 1:1023.)
#
#   -s       Likewise source.
#
#   -p       Protocol.
#
#   -j       Jump to a target such as DROP or MASQUERADE.
#
# First, drop any packets arriving from outside which have
# destinations in a private network range.
iptables -A INPUT -i $EXTIF -d 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXTIF -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXTIF -d 192.168.0.0/16 -j DROP

# Now deny specific ports:
# FTP
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 21 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 21 -j DROP
# NFS
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 111 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 111 -j DROP
# Samba
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 139 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 139 -j DROP
# More NFS guff
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1011 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1011 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1024 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1024 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 1025 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 1025 -j DROP
# MySQL (port 3306)
iptables -A INPUT -i $EXTIF -d $ANY -p tcp --dport 3306 -j DROP
iptables -A INPUT -i $EXTIF -d $ANY -p udp --dport 3306 -j DROP
# Many others to go here?

# RW We don't do this:
#
## Deny TCP connection attempts
#iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP
#
# RW Or this!
#
## Deny ICMP echo-requests
#iptables -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
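As an added example (not the page's script nor rp-pppoe's), here is a stateful masquerading ruleset that also covers the FORWARD chain, which the script above leaves at policy DROP with no rules, so nothing from the LAN can be forwarded; the interface names, the LAN range and the print-instead-of-apply default are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the page's firewall-masq or rp-pppoe's: a stateful
# masquerading ruleset for a gateway like the one described above.
# Assumed (constructed for the example): Internet on ppp0, LAN
# 10.0.0.0/24 on eth0.  By default the iptables commands are printed
# rather than run, which needs no root; set APPLY=1 to really apply them.

EXTIF=${EXTIF:-ppp0}
LANIF=${LANIF:-eth0}
LANNET=${LANNET:-10.0.0.0/24}
APPLY=${APPLY:-0}

# Print the command, or run it when APPLY=1.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Rule order matters: a chain is read top to bottom and the first
# matching rule decides, so the spoofing drops come before any ACCEPT.
masq_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # A packet arriving from the Internet must not carry a private
    # source address (the script above checks destinations instead).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT   -i "$EXTIF" -s "$net" -j DROP
        ipt -A FORWARD -i "$EXTIF" -s "$net" -j DROP
    done

    # Replies to connections the LAN opened may come back in.
    ipt -A FORWARD -i "$EXTIF" -o "$LANIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may open new connections outward, but only from its own
    # addresses; anything else falls through to the DROP policy, so no
    # unsolicited connection from outside is ever forwarded to the LAN.
    ipt -A FORWARD -i "$LANIF" -o "$EXTIF" -s "$LANNET" -j ACCEPT

    # Rewrite the LAN's source addresses to the (dynamic) ppp0 address.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$LANNET" -j MASQUERADE
}

# The kernel does not forward at all until this is set.
enable_forwarding() {
    if [ "$APPLY" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    fi
}

masq_rules
enable_forwarding
```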
Configuring named
Important update 2009-05-14: It is vital that the caching nameserver functions only be available to servers on the LAN. When I wrote this page, I didn't think about this. What I wrote sets named up to be a recursive nameserver which responds to queries from the entire Internet. This is known as an Open Recursive Nameserver (but for search-engine-bait: "open nameserver").
This means an attacker can use the nameserver as part of a DDoS (Distributed Denial of Service) attack. Let's say the attacker's victim is at 11.22.33.44. The attacker sends a packet to my nameserver with a spoofed source address of 11.22.33.44. The request causes my nameserver to send the reply to that address.
I found this happening, every few seconds, for the one victim address. The request was for a long TXT answer from a particular domain, operated by the attacker, to make the reply packet nice and long. The attacker's request packet to my server was short (71 bytes) and my server was sending a reply to the victim IP address consisting of two 1492 byte packets and one of 1165 bytes. This was happening every few seconds. So my nameserver was acting as a 58:1 amplifier of the effort of this attacker. The burden of packets on the destination IP address would have been immense, assuming many other nameservers such as mine were being used in the same way.
More on this at:
A partial answer is to include the following line in named.conf:
allow-recursion { 10.0.0.0/8; };
This goes anywhere in the "options { . . . };" section. It prevents named from properly answering any queries for domains other than the ones it is authoritative for, when the requests originate from outside my LAN.
This was suggested by section 5.2.1 of the above-linked report. The format for the "address_match_list" for bind 9 is at
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#address_match_lists
However . . . . . . the nameserver still responds with a shorter message, including the "hints" file - the list of root nameservers. So when configured like this, fewer bytes are sent to the victim, but still more than the attacker sent, so there is still amplification of the attacker's efforts.
The real solution is more complex - and I haven't yet implemented it: "split views", along the lines of:
I am not sure yet whether this would stop the server replying with the hints file.
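As an added illustration of the split-views approach (example configuration, not from this page or from any BIND documentation): recursion and the root hints live only in the LAN view, so an outside query for a name this server is not authoritative for is refused rather than answered with a root referral. The acl, addresses and zone names are the ones used on this page; the view names and file names are assumptions.

```conf
// Added example, not the page's named.conf.  With views in use,
// every zone statement must sit inside a view; named matches a
// client against the views in order and uses the first that fits.

acl "lan" { 10.0.0.0/8; 127.0.0.1; };
acl "sf.firstpr" { 72.36.140.10; };

options {
        directory "/var/named";
        listen-on { 150.101.162.123; 10.0.0.1; 127.0.0.1; };
        // Only the US secondary may pull zone transfers.
        allow-transfer { sf.firstpr; };
};

view "internal" {
        match-clients { lan; };
        recursion yes;                  // caching resolver for the LAN
        zone "." IN { type hint; file "named.root"; };
        zone "localhost." IN { type master; file "localhost.zone"; };
        zone "firstpr.com.au" IN { type master; file "firstpr.com.au"; };
        zone "astroneu.com"   IN { type master; file "astroneu.com"; };
};

view "external" {
        match-clients { any; };         // everyone the LAN view did not match
        recursion no;                   // never resolve on an outsider's behalf
        // No hint zone in this view: there is no root-server list to
        // return, so a query outside these zones gets a short REFUSED.
        zone "firstpr.com.au" IN { type master; file "firstpr.com.au"; };
        zone "astroneu.com"   IN { type master; file "astroneu.com"; };
};
```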
This machine has the zonefiles for several domains and is one of the two authoritative servers for those domains. The other is my USA-based server: sf.firstpr.com.au.
named needs to be set up here as a caching nameserver to handle queries from machines on the LAN, and then to use the zonefiles and allow sf.firstpr.com.au to update itself from these files.
There is no /etc/named.conf. man named includes this:
    It is not necessary to run named in a chroot environment if the Red Hat SELinux policy for named is enabled. When enabled, this policy is far more secure than a chroot environment.
I turned off SELinux, so I guess I should use the chroot approach, which involves files in /var/named/chroot/var/named/ .
Also:
    With this extra security comes some restrictions: By default, the SELinux policy does not allow named to write any master zone database files. Only the root user may create files in the $ROOTDIR/var/named zone database file directory (the options { "directory" } option), where $ROOTDIR is set in /etc/sysconfig/named.
/etc/sysconfig/named currently has:
ROOTDIR=/var/named/chroot
I need to rewrite my named configuration since it was bind8 in RH7.2 and this is bind9 in CentOS 5.1.
Red Hat have a GUI program system-config-bind to generate the /etc/named.conf file. This is in a package "system-config-bind" which was not installed. So I install it: "yum install system-config-bind". I was hoping to avoid depending on any GUI stuff. I figure if I knew plenty about bind9 I wouldn't need it, but life is too short . . .
system-config-bind
It finds no BIND configuration and so asks to install a default configuration. OK.
This does not create an /etc/named.conf file. It creates the following in /var/named/chroot/etc/named.conf:
// Red Hat BIND Configuration Tool
//
// Default initial "Caching Only" name server configuration
//
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
zone "." IN {
        type hint;
        file "named.root";
};
zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
zone "localhost." IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa." IN {
        type master;
        file "named.local";
        allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
zone "255.in-addr.arpa." IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa." IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
include "/etc/rndc.key";
The following files and empty directories are in /var/named/chroot/var/named/ :
/data             4096 Aug 26  2004
/slave            4096 May  6 17:14
/slaves           4096 Jul 28  2004
localdomain.zone   208 Apr 29  2005
localhost.zone     195 Apr 29  2005
named.broadcast    427 Apr 29  2005
named.ip6.local    424 Apr 29  2005
named.local        426 Apr 29  2005
named.root        1276 May  6 17:14
named.zero         427 Apr 29  2005
I try the GUI program's "New" menu item and try adding a new zone: Internet (click OK), Forward (click OK, then enter a dummy zonefile name for now, "blah.com." - note the trailing dot), Master (click OK). The next window has a bunch of stuff which goes in the zone file. I leave the defaults, but am not sure what to do with the Zone File Path, which is currently "blah.com.db". It seems this is the name of the file it is going to write. When I click OK, a new item appears in the list in the main window of the program: "blah.com". Nothing has been written to /var/named/chroot/var/named/ yet. But if I click the Save button, then a file is created there, blah.com.db :
$TTL 1H
@       SOA     gair.firstpr.com.au. root.gair.firstpr.com.au. ( 2
                3H
                1H
                1W
                1H )
        NS      gair.firstpr.com.au.
Also, this has been added to /var/named/chroot/etc/named.conf :
zone "blah.com." IN {
        type master;
        file "blah.com.db";
};
This looks compatible with the way I specified the zone files in my old /etc/named.conf. The ".db" in the zonefile name is just a convention and is not needed.
Back at the GUI program, I can select this "blah.com" Internet Forward Zone and add things to it by right-clicking it. I try adding a second nameserver, the text name of my US machine "sf.firstpr.com.au". The GUI program stupidly appends "blah.com." to the end of it . . . I edit it to "sf.firstpr.com.au." and it is happy. After clicking "Save", the blah.com.db file becomes:
$TTL 1H
@       SOA     gair.firstpr.com.au. root.gair.firstpr.com.au. ( 3
                3H
                1H
                1W
                1H )
        NS      gair.firstpr.com.au.
        IN 1H   NS      sf.firstpr.com.au.
Note the 2 became 3 - this is the serial number, by which named recognises that the file is different from what was there before.
This format for the second authoritative nameserver is a little different from what is in my old zonefiles:
        IN NS   gair.firstpr.com.au.
        IN NS   sf.firstpr.com.au.
I am trying to figure out to what extent I can copy the old zone files. I guess I can . . .
I try adding an A (IPv4 address) record, without using the "Create Reverse Mapping Record". This is for "www.blah.com." with a caching time of 1 hour 7 minutes and an IP address of 12.34.56.78. Each time I use Save, a backup file is created in the same directory with the same name but with the date and time appended to the name. These could clutter things up, but they are easily deleted manually.
Now the file is like this:
$TTL 1H7M
@       SOA     gair.firstpr.com.au. root.gair.firstpr.com.au. ( 4
                3H
                1H
                1W
                1H7M )
        NS      gair.firstpr.com.au.
        IN 1H7M NS      sf.firstpr.com.au.
www     IN 1H7M A       12.34.56.78
Hmmm - that one "1 hour 7 minutes" for this one item affected the caching time of the whole zonefile.
I add an MX record. The default caching time is now "1 hour 7 minutes". I enter one with priority 10 "gair.firstpr.com.au.". Since I used a dot at the end of the name, the GUI program didn't append "blah.com.". I added another with priority 20 "sf.firstpr.com.au."
I added an A record for "blah.com." = 33.44.55.66 and the resulting file was:
$TTL 1H7M
@       SOA     gair.firstpr.com.au. root.gair.firstpr.com.au. ( 6
                3H
                1H
                1W
                1H7M )
        NS      gair.firstpr.com.au.
        IN 1H7M NS      sf.firstpr.com.au.
        IN 1H7M MX 10   gair.firstpr.com.au.
        IN 1H7M MX 20   sf.firstpr.com.au.
        IN 1H7M A       33.44.55.66
www     IN 1H7M A       12.34.56.78
This looks good. I recall that in bind8 at least, the unnamed IN record for the host name with the same name as the domain must come before the others. Still, this is not a complete file, if I were doing it for firstpr.com.au instead, since I would need to specify the IP addresses of gair and sf as well.
It is not clear how to use the GUI program to add a subdomain. In bind8 I did it like this:
; Subdomain exp.firstpr.com.au
exp     IN NS   gair.firstpr.com.au.
        IN NS   sf.firstpr.com.au.
Apart from these caching time "1H7M" things, the new file format looks compatible with my old ones. So I will try copying those zone files to /var/named/chroot/var/named/ and adding the same text as I used before, for each, in /var/named/chroot/etc/named.conf .
First, I want to see how I can use the GUI program to specify an Access Control List so the one IP address which named on the US server uses will be allowed to retrieve updated information for the various zones for which it is a slave.
At the top of the GUI window list is "DNS Server". By right clicking this (I can start this server with one of these right-click options . . . ) I can add an "Access Control List". I give the list the name "sf-firstpr" and the IP address 72.36.140.10. After "Save", the new line in /var/named/chroot/etc/named.conf is immediately after the first few lines of comments: (Did it convert "-" to "."?)
acl sf.firstpr {
        72.36.140.10;
};
I also add "Controls": addresses to listen on: 150.101.162.123 (the IP address of the ADSL service) with port 53, not port "953" as the GUI program presented as the default value. Clicking OK at the bottom leads to an error message in the xterm I gave the initial command in. The problem is with DNS.py and is "invalid literal for int(): ort 53". I try again with 953 and get the same message, but for "rt 953". So this part of the program is buggy.
So far the results of this system look compatible with my old file format, so I abandon this GUI program and copy the old config stuff.
I deleted the "blah.com.db" file and its backups, but this turned out to be incomplete - since system-config-bind would not start after that. This was fixed by removing the relevant lines in /var/named/chroot/etc/named.conf .
I copy the old zone files to the new directory, remove the blah.com.db file, and add lines such as this to /var/named/chroot/etc/named.conf:
zone "firstpr.com.au" in {
        type master;
        file "firstpr.com.au";
};
My new /var/named/chroot/etc/named.conf file starts with the ACL to allow the US server to access these zonefiles:
// Red Hat BIND Configuration Tool
//
// Default initial "Caching Only" name server configuration
acl sf.firstpr {
        72.36.140.10;
};
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        //query-source address * port 53;
        // RW -----------------------
        //
        // I added these two:
        allow-transfer { sf.firstpr; };
        listen-on { 150.101.162.123;
                    10.0.0.1;
                    127.0.0.1; };
        allow-recursion { 10.0.0.0/8; };
        // See Important Update above
};
At the end, I add references to zonefiles like this:
zone "astroneu.com" in {
        type master;
        file "astroneu.com";
};
zone "firstpr.com.au" in {
        type master;
        file "firstpr.com.au";
};
and start named:
/etc/rc.d/init.d/named restart
Stop failed, since it wasn't running. Once I fixed some typos, Start worked fine too. Problems with it starting are explained in /var/log/messages.
So named is running fine.
Final configuration of Postfix
(I will tackle Postfix configuration with SPF later - to help reduce the backscatter messages my system generates.)
The machine is on the Net, with its fixed IP address, nameserver, IMAP server and LAN working, but not yet NAT . . .
Mail filtering should be OK. I just need to configure Postfix to run as gair, rather than the test machine nair, and start it.
In /etc/postfix/main.cf I add or alter the following items.
This is probably not needed:
myhostname = gair.firstpr.com.au
Maybe this isn't needed either, but I like to make it explicit.
myorigin = firstpr.com.au
This is needed: the other domains for which this machine is the primary or secondary mailserver:
mydestination = firstpr.com.au astroneu.com
The Trust and Relay Control section is really important. I tell Postfix to trust machines on the LAN.
mynetworks = 10.0.0.0/24
There is some information on setting up two Postfix machines to be primary and backup mailhosts:
http://www.akadia.com/services/postfix_mx_backup.html
I don't use the transport_maps portion of this.
I understand it has long been standard practice to have at least one backup mailserver for each domain; however I understand that another school of thought is to have only one mailserver, and rely on sending MTAs to hold their messages for a while if the one mailserver is down. If this occurs, there is no real purpose in having a backup, since no-one plans to have their mailserver down for longer than the week or so (?) that an MTA will try to send the message for. Spammers often send messages to the backup mailserver, if there is one.
Since all the domains for which these two servers are primary and secondary are listed in my "mydestination" variable, as just mentioned, all that needs to be in both machines' main.cf files is:
relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains
This is based on a file which is no longer in the Postfix distribution: /etc/postfix/samples/sample-smtpd.cf. Google can't find such a file on the site
http://www.postfix.org
but there is a copy at:
http://www.paccomp.com/postfix/node28.html
So perhaps this is not the way to do backup mailservers with the current version of Postfix.
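As an added example (not the page's configuration nor a Postfix sample file), here is the relay-control part of main.cf written with reject_unauth_destination, which the current Postfix documentation gives as the replacement for the deprecated check_relay_domains; the domain and network values are the ones used on this page.

```conf
# Added example, not the page's main.cf.  The same fragment suits both
# the primary and the backup mailserver, since both list every domain
# they accept mail for in mydestination.
mydestination = firstpr.com.au astroneu.com
mynetworks = 10.0.0.0/24
relay_domains = $mydestination

# Order matters: LAN clients are permitted first; any other client may
# only deliver to domains in $mydestination or $relay_domains, so the
# server cannot be used as an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
```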
Now I restart Postfix . . .
/etc/rc.d/init.d/postfix restart
/var/log/maillog shows messages coming in from the outside world, as well as a test message I sent myself. They are not being delivered since I have a syntax error in my .mailfilter file . . . I fix it - and all is well.